Security expert and blogger Jeremiah Grossman uncovered a disturbing exploit in Safari 4 and 5. Enabled by default, Safari's AutoFill feature uses information from your Address Book card to automatically fill in web forms. Handy in theory, but a website with malicious intent can fairly easily obtain that information without the user ever typing anything into the site.


All a malicious website would have to do to surreptitiously extract Address Book card data from Safari is dynamically create form text fields named after the Address Book card fields, probably invisibly, and then simulate A-Z keystroke events using JavaScript. Once AutoFill populates those fields, the page's script can read the data and send it to the attacker.

If you're a Safari user, you'll probably want to make sure to turn off AutoFill now. You can read more about the exploit here. [Jeremiah Grossman]